jf atc permanently breaks cli auth generated via jf login

[StephenWithPH]

Describe the bug

Having authenticated the cli using jf login, then invoked jf atc, future invocations of jf atc or jf rt ping fail with:

09:42:30 [🚨Error] Refresh access token failed: server response: 404 Not Found
{
  "errors": [
    {
      "code": "NOT_FOUND",
      "message": "Token matching the provided refresh token was not found."
    }
  ]
}

Current behavior

Initial State

• jfrog cli has no config:

  cat ~/.jfrog/jfrog-cli.conf.v6
  {
      "servers": [],
      "version": "6"
  }

• Logged in to JFrog web UI with username and password.
• No tokens visible at https://<JFrog Platform URL>/ui/admin/configuration/security/access_tokens

Authenticate jfrog cli via Web UI

• jf login, providing JFrog Platform URL when prompted, accepting default values, and successfully completing code prompt entry.
• jfrog cli has config:

  cat ~/.jfrog/jfrog-cli.conf.v6
  {
      "servers": [
          {
              "url": "https://<JFrog Platform URL>/",
              "artifactoryUrl": "https://<JFrog Platform URL>/artifactory/",
              "distributionUrl": "https://<JFrog Platform URL>/distribution/",
              "xrayUrl": "https://<JFrog Platform URL>/xray/",
              "missionControlUrl": "https://<JFrog Platform URL>/mc/",
              "pipelinesUrl": "https://<JFrog Platform URL>/pipelines/",
              "user": <redacted>,
              "accessToken": <redacted>,
              "refreshToken": <redacted>,
              "serverId": <redacted>,
              "isDefault": true,
              "webLogin": true
          }
      ],
      "version": "6"
  }

• One token visible at https://<JFrog Platform URL>/ui/admin/configuration/security/access_tokens:
  • token id: "b2c050ab-b04b-4f1f-a3fe-e8789716f7b5"

Create access token for use in scripting with jfrog cli

    JFROG_CLI_LOG_LEVEL=DEBUG jf atc

    09:19:15 [Debug] JFrog CLI version: 2.52.10
    09:19:15 [Debug] OS/Arch: darwin/arm64
    09:19:15 [Debug] Usage Report: Sending info...
    09:19:15 [Debug] Refreshing token...
    09:19:15 [Debug] Creating lock in: <redacted>
    09:19:30 [Debug] Sending HTTP POST request to: https://<JFrog Platform URL>/access/api/v1/tokens
    09:19:30 [Debug] Releasing lock: <redacted>
    09:19:30 [Debug] Sending HTTP POST request to: https://<JFrog Platform URL>/access/api/v1/tokens
    09:19:30 [Debug] Refreshing token...
    09:19:30 [Debug] Creating lock in: <redacted>
    09:19:30 [Debug] Fetched new token from config.
    09:19:30 [Debug] Releasing lock: <redacted>
    09:19:30 [Debug] Sending HTTP GET request to: https://<JFrog Platform URL>/artifactory/api/system/version
    09:19:31 [Debug] Artifactory response: 200
    09:19:31 [Debug] JFrog Artifactory version is: 7.81.2
    09:19:31 [Debug] Refreshing token...
    09:19:31 [Debug] Creating lock in: <redacted>
    09:19:46 [Debug] Sending HTTP POST request to: https://<JFrog Platform URL>/access/api/v1/tokens
    09:19:46 [Debug] Releasing lock: <redacted>
    09:19:46 [Debug] Couldnt send usage info. Error: Refresh access token failed: server response: 404 Not Found
    {
        "errors": [
            {
                "code": "NOT_FOUND",
                "message": "Token matching the provided refresh token was not found."
            }
        ]
    }
    {
        "scope": "applied-permissions/user",
        "access_token": <redacted>,
        "expires_in": 28800,
        "token_type": "Bearer",
        "token_id": "8715eabd-680b-4d4f-b626-eb31aeef1601"
    }

• A new token is created, but the 404 not found json also going to stdout renders this operation useless for scripting.

• jfrog cli has config:

  cat ~/.jfrog/jfrog-cli.conf.v6
  {
      "servers": [
          {
              "url": "https://<JFrog Platform URL>/",
              "artifactoryUrl": "https://<JFrog Platform URL>/artifactory/",
              "distributionUrl": "https://<JFrog Platform URL>/distribution/",
              "xrayUrl": "https://<JFrog Platform URL>/xray/",
              "missionControlUrl": "https://<JFrog Platform URL>/mc/",
              "pipelinesUrl": "https://<JFrog Platform URL>/pipelines/",
              "user": <redacted>,
              "accessToken": <redacted>,
              "refreshToken": <redacted>,
              "artifactoryRefreshToken": <redacted>,
              "serverId": <redacted>,
              "isDefault": true,
              "webLogin": true
          }
      ],
      "version": "6"
  }

  • the value of refreshToken is unchanged from the value after initial jf login
  • there is a new artifactoryRefreshToken

• Two tokens visible at https://<JFrog Platform URL>/ui/admin/configuration/security/access_tokens:

  • token id: "6dfeeffd-9ead-4436-83c2-fe64cc636add"
    • this appears to have replaced the token id "b2c050ab-b04b-4f1f-a3fe-e8789716f7b5" created by the initial jf login
  • token id: "8715eabd-680b-4d4f-b626-eb31aeef1601"
    • this correponds to the token output from jf atc above

Attempt to create another access token for use in scripting with jfrog cli

JFROG_CLI_LOG_LEVEL=DEBUG jf atc

09:36:06 [Debug] JFrog CLI version: 2.52.10
09:36:06 [Debug] OS/Arch: darwin/arm64
09:36:06 [Debug] Usage Report: Sending info...
09:36:06 [Debug] Refreshing token...
09:36:06 [Debug] Creating lock in: <redacted>
09:36:21 [Debug] Sending HTTP POST request to: https://<JFrog Platform URL>/access/api/v1/tokens
09:36:21 [Debug] Releasing lock: <redacted>
09:36:21 [Debug] Refreshing token...
09:36:21 [Debug] Creating lock in: <redacted>
09:36:36 [Debug] Sending HTTP POST request to: https://<JFrog Platform URL>/access/api/v1/tokens
09:36:36 [Debug] Releasing lock: <redacted>
09:36:36 [Debug] Couldnt get Artifactory version. Error: Refresh access token failed: server response: 404 Not Found
{
    "errors": [
        {
            "code": "NOT_FOUND",
            "message": "Token matching the provided refresh token was not found."
        }
    ]
}
09:36:36 [🚨Error] Refresh access token failed: server response: 404 Not Found
{
    "errors": [
        {
            "code": "NOT_FOUND",
            "message": "Token matching the provided refresh token was not found."
        }
    ]
}

• jfrog cli has config:

  cat ~/.jfrog/jfrog-cli.conf.v6
  {
      "servers": [
          {
              "url": "https://<JFrog Platform URL>/",
              "artifactoryUrl": "https://<JFrog Platform URL>/artifactory/",
              "distributionUrl": "https://<JFrog Platform URL>/distribution/",
              "xrayUrl": "https://<JFrog Platform URL>/xray/",
              "missionControlUrl": "https://<JFrog Platform URL>/mc/",
              "pipelinesUrl": "https://<JFrog Platform URL>/pipelines/",
              "user": <redacted>,
              "accessToken": <redacted>,
              "refreshToken": <redacted>,
              "artifactoryRefreshToken": <redacted>,
              "serverId": <redacted>,
              "isDefault": true,
              "webLogin": true
          }
      ],
      "version": "6"
  }

  • the value of refreshToken is unchanged from the value after initial jf login
  • there value of artifactoryRefreshToken is unchanged from its value after appearing subsequent to the first jf atc

• The two tokens visible at https://<JFrog Platform URL>/ui/admin/configuration/security/access_tokens are unchanged from their values after the first jf atc:

  • token id: "6dfeeffd-9ead-4436-83c2-fe64cc636add"
  • token id: "8715eabd-680b-4d4f-b626-eb31aeef1601"

• Other cli commands are now broken:

  jf rt ping
  09:42:30 [🚨Error] Refresh access token failed: server response: 404 Not Found
  {
      "errors": [
          {
              "code": "NOT_FOUND",
              "message": "Token matching the provided refresh token was not found."
          }
      ]
  }

Reproduction steps

See above.

Expected behavior

Having authenticated the cli using jf login, can repeatedly invoke jf atc as needed, receiving no errors and a valid token that can be used, e.g:

curl -H "Authorization: Bearer $(jf atc --expiry 60 | jq --raw-output '. | .access_token')" https://<JFrog Platform URL>/access/api/v1/tokens

JFrog CLI version

jf version 2.52.10

Operating system type and version

darwin/arm64 14.4 (23E214)

JFrog Artifactory version

SaaS

JFrog Xray version

SaaS

[RobiNino]

Hi @StephenWithPH , Thank you for reporting this issue. I created https://github.com/jfrog/jfrog-cli-core/pull/1177 to fix the issue with refreshing the tokens.

As for the error going to stdout, I verified that errors thrown from the usage report are always reported to the debug log that defaults to stderr. Can you make sure that you don't have logs printed to stdout?

Thanks

[StephenWithPH]

As for the error going to stdout, I verified that errors thrown from the usage report are always reported to the debug log that defaults to stderr. Can you make sure that you don't have logs printed to stdout?

I likely failed to unset some redirection while I was debugging / repro'ing to open the issue. I apologize.